Expert Blogs from Derive Logic

Enforcement of the GDPR began on the 25th May 2018.  How will it affect you?

by Chris Lewis | Mar, 2018 | GDPR

Expert Blogs from Derive Logic

In this short blog, we will address three cumulative questions relevant to our clients:

  • Does the GDPR apply to your organisation?
  • What constitutes processing of personal data?
  • How will the GDPR apply to ITAM, software licensing and your licensing agreements?

First a health warning!

In answering these three questions, we are providing a focussed view of only some of the obligations imposed under the GDPR as it came into force on 25th May as they relate to ITAM and software licensing. If you have still not properly ascertained the full breadth of the challenge to your organisation in responding to GDPR – including such things as data subjects’ rights, international transfers and demonstrating accountability – we recommend that you do so quickly.

Will the GDPR apply to your organisation?

Yes, if your organisation processes personal data outside a purely domestic context then GDPR will apply to some extent. If you have less than 250 employees, you are let off keeping certain documentation (in certain circumstances). But, GDPR still applies. It will touch organisations differently, but my strong recommendation would be that your organisation finds out well in advance how much work it needs to do, what the risks are and how to pragmatically mitigate them.

What constitutes Processing of Personal Data?

The General Data Protection Regulation (GDPR) applies to ‘personal data’. Personal data is data from which an individual can be identified, whether directly or indirectly. The most obvious example would be a name, address and phone number held as contact details. The definition provides for a much wider range of identifiers however, and can include such things as photos, CCTV footage, IP addresses, location data, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. That list is not exhaustive, the key element is being able to identify an individual. This expansive definition is intended to reflect the changes in the ways in which organisations can collect, process and analyse information about people in the digital age.

Processing of Personal Data has a wider definition than can sometimes be assumed. It can include any operation or set of operations which is performed on personal data or on sets of personal data. This can include processes such as the collection, recording, organisation, structuring, storage, alteration, transmission, use, restriction, erasure or destruction of personal data. This applies whether it is automated, or a paper based manual filing system. It is not only big data processing where a thousand data points are analysed to build a personal profile. Processing under the GDPR is everything from putting paper files into storage, having an exchange server, keeping a contact data base, having employment contracts or using cloud services. Put simply, if you use, hold, transfer, change or destroy data you are processing it.

How might the GDPR apply to ITAM, software licensing and licensing agreements?

Firstly, there are responsibilities when using a vendor to process personal data (e.g. Cloud or even transferring personal data for support or development purposes). Broadly, there are three things that data controllers must do in this regard:

  • Data controllers must perform due diligence in selecting vendors and that are complaint with GDPR.
  • Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.
  • Data controllers must monitor vendors for compliance.

Beyond these vendor considerations, licensing agreements themselves might include personal data regarding individuals, e.g. name, location, job function etc. Where this is the case and individuals can be identified, you may need to ensure appropriate measures are taken with regard to the requirements of the GDPR (e.g. updating privacy notices, data minimisation, pseudonymization etc etc).

Good ITAM will also play its part in the event of a personal data breach. Knowing what devices the organisation has, who has access, what software is being used and the level of any encryption deployed, could form a key element of avoidance and mitigation of breach.

It’s important to reassure readers that the GDPR is generally not prohibitive of processing personal data but that certain obligations and protections for individuals need to be addressed in order to demonstrate accountability. We should also highlight that if in breach of the Regulation, organisations could be fined up to 4% of their annual global turnover, €20 million or, as seems increasingly likely, could be subject to claims for compensation.

The above is not an exhaustive description of the interplay of ITAM, licensing and the GDPR. It does highlight however, that this is an area worthy of investigation. Derive Logic can help you understand your obligations under the GDPR through our internal knowledge base or through our partnership with Cybercrowd, a leading Information Governance Consultancy.

Contact us today

Call us to find out how we can help your organisation get to grips with this critical area, or alternatively email us at


Expert Blogs from Derive Logic